
WabiSabiLabi Pimping ClamAV Vulnerability & Exploit

Last updated: September 9, 2015

Interesting, a new arena for marketing spin and sales talk – the auctioning of exploits.

WabiSabiLabi is pushing hard for a good price on a ClamAV vulnerability and exploit that it has gotten hold of, and it’s dosing the listing up with a good portion of spin to make it seem like the next big thing – I guess because no one bid on it.

WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty sounding exploit that puts Unix boxes at risk.

The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group’s marketing monkeys, who in a blog post are trying to drum up interest.

The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi’s vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.

Representatives from Switzerland-based WabiSabiLabi weren’t immediately available for comment.

In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it’s rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.

Perhaps they didn’t think the whole concept out. Most of the people who need these kinds of exploits already have access to them. Those who can code trade them, those who can’t code steal and trade them, and those with no skills at all pick up the leftovers.

Looks like they sold it…for 600 Euros. It’s no longer on their auction block. Wasn’t Wabi’s purpose originally to garner support for researchers so big software companies would acknowledge their vulnerabilities and pay up? Not in a blackmail way, but as a way for sec researchers to legitimately get paid? Doesn’t look like it’s working out too well.